author | Nick Kralevich <nnk@google.com> | 2014-06-02 14:49:10 -0700 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2014-06-02 15:56:44 -0700 |
commit | 78706f9ef6d917fe2ec85ecb6b0f47fbc5efde57 (patch) | |
tree | 604c308a5cbd938551232b2eae4ecb4f495fde9b /untrusted_app.te | |
parent | 3957ae733f1066efa5d0ae2b03604c0b11549430 (diff) | |
add execmod to various app domains
NDK r8c and below induced text relocations into every NDK
compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203).
For compatibility, we need to support shared libraries with text relocations
in them.
Addresses the following error / denial:
06-02 13:28:59.495 3634 3634 W linker : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
<4>[ 57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Steps to reproduce:
1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air)
2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd)
3) Attempt to run Play & Learn app
Expected:
App runs
Actual:
App crashes with error above.
Bug: 15388851
Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663
Diffstat (limited to 'untrusted_app.te')
-rw-r--r-- | untrusted_app.te | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/untrusted_app.te b/untrusted_app.te index b7a2cef..50a02da 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -27,7 +27,7 @@ bluetooth_domain(untrusted_app) # Some apps ship with shared libraries and binaries that they write out # to their sandbox directory and then execute. -allow untrusted_app app_data_file:file rx_file_perms; +allow untrusted_app app_data_file:file { rx_file_perms execmod }; allow untrusted_app tun_device:chr_file rw_file_perms; @@ -35,7 +35,7 @@ allow untrusted_app tun_device:chr_file rw_file_perms; allow untrusted_app asec_apk_file:dir { getattr }; allow untrusted_app asec_apk_file:file r_file_perms; # Execute libs in asec containers. -allow untrusted_app asec_public_file:file execute; +allow untrusted_app asec_public_file:file { execute execmod }; # Allow the allocation and use of ptys # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm |
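Review bot: In the first hunk (@@ -27,7 +27,7 @@), execmod is granted on app_data_file, but the denial quoted in the commit message has tcontext=u:object_r:system_data_file:s0 for /data/app-lib/com.adobe.air-2/libCore.so, so this rule on its own does not match the logged denial. The diff shown here is limited to untrusted_app.te, so please confirm that the system_data_file case is handled elsewhere in the commit. Since the comment above the rule says these are files the app writes out to its own sandbox and then executes, it would also help to extend that comment to state that execmod is present only for shared libraries with text relocations, so the permission can be dropped once that compatibility is no longer needed.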
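Review bot: In the second hunk (@@ -35,7 +35,7 @@), the comment "# Execute libs in asec containers." still describes only execute and does not say why execmod is now allowed on asec_public_file. Suggest adding a comment line above the rule that names text relocations as the reason and points at Bug: 15388851, so a later policy audit can tell this is a compatibility allowance. The denial in the commit message is for a file under /data/app-lib, not an asec container, so a short note on which case motivated the asec_public_file change would make it easier to review.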